Why do I have a different result using curl or data input?

Clovisa — Fri, 06 Apr 2018 08:34:38 GMT

Hi,

I noticed something strange. When I upload the following JSON by the Splunk Web interface, using he json_sales sourcetype described below, the "Date" field is set as timestamp (which is what I want).
But when I try to push the same JSON line via HTTP event collector, the timestamp that is set is the indexation time. Where does it come from? How can I set the "Date" field as a timestamp while using HTTP? Thank you!

 JSON

    {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}

props.conf

[json_sales]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = Date
TIME_FORMAT = %Y-%m-%d
category = Structured
disabled = false
pulldown_type = true

cURL

curl -k  http://splunk:8088/services/collector -H "Authorization: Splunk 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX" -d '{"sourcetype": "json_sales", "event": {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}}'

inputs.conf in splunk_httpinput/local

[http://Vente]
disabled = 0
index = sales
token = 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX
sourcetype = json_sales

Re: Why do I have a different result using curl or data input?

p_gurav — Fri, 06 Apr 2018 09:10:01 GMT

Is your props.conf file in splunk_httpinput/local path?

Re: Why do I have a different result using curl or data input?

Clovisa — Fri, 06 Apr 2018 10:02:34 GMT

It wasn't initially, I just moved it and tried but I still don't have the right timestamp

topic Re: Why do I have a different result using curl or data input? in Getting Data In

Why do I have a different result using curl or data input?

Re: Why do I have a different result using curl or data input?

Re: Why do I have a different result using curl or data input?